-
Committer:
Package Import Robot
-
Author(s):
Arno Töll
-
Date:
2011-12-20 11:36:09 UTC
-
mfrom:
(1.1.18)
-
Revision ID:
package-import@ubuntu.com-20111220113609-kq30ty6qrigt1ryv
Tags: 1.4.30-1
* New upstream release
+ Fix integer overflow (CVE-2011-4362) (Closes: #652726)
+ Fix attack vector as disclosed by the SSL BEAST attack (related:
CVE-2011-3389). Note: If you are upgrading from an older version you need
to change your configuration to mitigate effects of the attack. See the
corresponding NEWS file for details.
+ Count SSL renegotiations to prevent client renegotiations
* Urgency set to medium due to security updates.
* Adapt to dpkg 1.16.1 API changes regarding build flags. This enables
hardening build flags. This means, lighttpd is now being built with
-fstack-protector and other security related build flags.
* Add dpkg-dev (>= 1.16.1~) to build-depends to make sure our buildflags are
properly supported. That's guaranteed for Testing, but might be helpful to
know for backporters.
* Fix "Doesn't remove /etc/lighttpd on purge" by removing dangling symlinks
/only/. This does not entirely fix the problem of the maintainer, but we can
not simply remove all files in /etc/lighttpd as other packages or the user
himself might have left configuration files back (Closes: #642494)
* Fix "please include systemd service file" Support systemd as alternative to
sysvinit, ship systemd and tempfiles.d configuration files. Thanks to
Michael Stapelberg for providing the required files (Closes: #652442)